Why is CloudHSM used for?

Table of Contents

CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.

Is CloudHSM highly available?

Secure and highly-available by design AWS CloudHSM runs in your own Amazon Virtual Private Cloud (VPC), enabling you to easily use your HSMs with applications running on your Amazon EC2 instances. With CloudHSM, you can use standard VPC security controls to manage access to your HSMs.

What is a CloudHSM?

Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster for you, so you don’t need to worry about clustering, scaling, or patching.

What level of compliance is CloudHSM?

FIPS 140-2 level 3
The HSMs provided by AWS CloudHSM comply with FIPS 140-2 level 3. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council .

What is a best practice recommended by AWS for using CloudHSM?

For latency-sensitive workloads, we recommend +1 redundancy. For applications requiring durability of newly generated keys, we recommend at least three HSM instances spread across all availability zones in a region. Cluster Capacity: You should create enough HSMs in your cluster to handle your workload.

Who can access HSM keys?

AWS CloudHSM provides you access to your HSMs over a secure channel to create users and set HSM policies. The encryption keys that you generate and use with CloudHSM are accessible only by the HSM users that you specify. AWS has no visibility or access to your encryption keys.

How is CloudHSM deployed?

The first option is to use VPC peering to allow traffic to flow between the SaaS provider’s HSM client VPC and your CloudHSM VPC, and to utilize a custom application to harness the HSM. The second option is to use KMS to manage the keys, specifying a custom key store to generate and store the keys.

What is the difference between CloudHSM and KMS?

The difference between KMS and CloudHSM is that you control your keys with CloudHSM. CloudHSM gives a single-tenant multi-AZ cluster, and it’s exclusive to you. KMS is multitenant; however, it uses HSMs within, but those are distributed over customer accounts, so it’s not exclusive only for you.

How does AWS CloudHSM work?

What is cloudhsm?

CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is standards-compliant and enables you to export all of your keys to most other commercially-available HSMs, subject to your configurations.

How does cloudhsm backup my HSM clusters?

CloudHSM automatically backs up your HSM clusters periodically. When adding an HSM to a cluster, CloudHSM takes a backup from an active HSM in that cluster and restores it to the newly provisioned HSM. When deleting an HSM from a cluster, CloudHSM takes a backup of the HSM before deleting it.

What are the benefits of AWS cloudhsm?

Deploy secure, compliant workloads. Utilizing HSMs as the root of trust helps you demonstrate compliance with security, privacy and anti-tamper regulations such as HIPAA, FedRAMP and PCI. AWS CloudHSM enables you to build secure, compliant workloads with high reliability and low latency, using HSM instances in the AWS cloud.

What happens when I expand a cluster in cloudhsm?

When you expand a cluster, CloudHSM automatically provisions a new HSM as a clone of the other HSMs in the cluster. This is done by taking a backup of an existing HSM and restoring it to the newly added HSM. When you delete an HSM from a cluster, a backup is automatically taken.